From d6712917f5842fb7124f85902b7e6f68f12f4865 Mon Sep 17 00:00:00 2001 From: Fedor Indutny Date: Wed, 15 Oct 2014 19:28:16 +0400 Subject: [PATCH] doc: document why SSL2/SSL3 is disabled PR-URL: https://github.com/joyent/node/pull/8551 Reviewed-By: Ben Noordhuis --- doc/api/tls.markdown | 11 ++++++++++- 1 file changed, 10 insertions(+), 1 deletion(-) diff --git a/doc/api/tls.markdown b/doc/api/tls.markdown index 68e7a099a5c..3c2fe6ea691 100644 --- a/doc/api/tls.markdown +++ b/doc/api/tls.markdown @@ -38,6 +38,14 @@ To create .pfx or .p12, do this: - `certfile`: all CA certs concatenated in one file like `cat ca1-cert.pem ca2-cert.pem > ca-cert.pem` +## Protocol support + +Node.js is compiled without SSL2/SSL3 protocol support by default. These +protocols are insecure and could be easily compromised as was shown by +[CVE-2014-3566][]. However, in some situations, it may cause +problems with legacy clients/servers (such as Internet Explorer 6). If you do +really wish to use them, please rebuild node.js with `./configure --with-ssl3`. + ## Client-initiated renegotiation attack mitigation @@ -573,4 +581,5 @@ The numeric representation of the remote port. For example, `443`. [Stream]: stream.html#stream_stream [SSL_METHODS]: http://www.openssl.org/docs/ssl/ssl.html#DEALING_WITH_PROTOCOL_METHODS [tls.Server]: #tls_class_tls_server -[SSL_CTX_set_options]: https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html \ No newline at end of file +[SSL_CTX_set_options]: https://www.openssl.org/docs/ssl/SSL_CTX_set_options.html +[CVE-2014-3566]: https://access.redhat.com/articles/1232123
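Review bot: In the first hunk, the new "Protocol support" paragraph says "Node.js is compiled without SSL2/SSL3 protocol support" and then attributes the weakness of both to `[CVE-2014-3566][]`, yet the rebuild instruction only mentions `./configure --with-ssl3`; CVE-2014-3566 (POODLE) concerns SSLv3 specifically, and the flag name does not say whether it brings SSL2 back as well. Suggest stating which protocol the CVE covers and exactly what the flag re-enables, for example "SSL2 has long been considered insecure, and SSL3 was shown to be vulnerable by [CVE-2014-3566][] (POODLE). If you really need SSL3 for legacy clients such as Internet Explorer 6, rebuild with `./configure --with-ssl3`." Two smaller points in the same hunk: "node.js" in the last sentence should be "Node.js" to match the first sentence, and "it may cause problems" reads better as "this may cause problems with legacy clients and servers", since "it" has no clear antecedent.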
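Review bot: In the second hunk, the new `[CVE-2014-3566]` reference links to a Red Hat knowledge-base article rather than to the canonical record for the identifier; vendor articles can move or change, so consider pointing the link at the MITRE or NVD entry for CVE-2014-3566 and, if the Red Hat mitigation guidance is wanted, mentioning it in the prose rather than making it the CVE link. Restoring the trailing newline on the `[SSL_CTX_set_options]` line in the same hunk is fine and needs no further change.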